Summary: | Make text track loading set same-origin fallback flag | ||||||
---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Rob Buis <rbuis> | ||||
Component: | New Bugs | Assignee: | Rob Buis <rbuis> | ||||
Status: | RESOLVED INVALID | ||||||
Severity: | Normal | CC: | annevk, cdumez, commit-queue, darin, dbates, eric.carlson, ews-watchlist, glenn, japhet, jer.noble, mkwst, philipj, sergio, webkit-bug-importer, youennf | ||||
Priority: | P2 | Keywords: | InRadar | ||||
Version: | Safari Technology Preview | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Bug Depends on: | 216672 | ||||||
Bug Blocks: | |||||||
Attachments: |
|
Description
Rob Buis
2020-01-03 12:16:43 PST
Created attachment 386706 [details]
Patch
Comment on attachment 386706 [details] Patch This is the second and final part of the split mentioned in https://bugs.webkit.org/show_bug.cgi?id=205326. Comment on attachment 386706 [details] Patch Clearing flags on attachment: 386706 Committed r254031: <https://trac.webkit.org/changeset/254031> All reviewed patches have been landed. Closing bug. Reopening as this patch caused a regression where videos on jw.org fail to show subtitles. jw.org has captions hosted on Akamai where the .vtt file has CORS headers but the .mp4 file does not. So captions work if `crossorigin=anonymous` is added, but that breaks video rendering. Other browsers play captions fine without the `crossorigin` attribute, and there does not seem to be WPT tests that verify behavior for this scenario (!same origin, no-cors, headers present). Since this caused behavior regressions in the wild, and other browsers have not implemented this same behavior, we're reverting this on trunk for now. @Anne I implemented [1] but it seems to cause regressions in the wild, see comment 7. Do you know whether mozilla implemented this? Should the spec be changed? [1] https://html.spec.whatwg.org/multipage/media.html#sourcing-out-of-band-text-tracks:create-a-potential-cors-request I guess other browsers do not use "same-origin" as the fallback and rather use "cors" always? And let credentials mode depend on the media element? It seems this is the only case where we pass the same-origin fallback flag and it might not be well tested. I do hope they all enforce CORS as there would be a security problem otherwise. `html/semantics/embedded-content/media-elements/track/track-element/track-data-url.html` does not really seem to test this as data URLs are considered same-origin. That does seem like a useful template to be able to add some cross-origin tests, though testing the credentials part might require some server-side logic as well. I filed https://github.com/whatwg/html/issues/6267 to track this standards-wise. I validated Chrome is using same origin as default. Some time has passed and identified breaking websites have been updated. Let's try to reland this behavior in https://bugs.webkit.org/show_bug.cgi?id=239381. |